topic Hi Srinath, ASA2 has incmp in Network Security

unable to ping Switch behind directly connected ASA

mahesh18 — Tue, 12 Mar 2019 05:08:38 GMT

Hi Everyone,

Here is setup ASA1-e0/0----192.168.1.171----------------e0/0---192.168.1.174 ---ASA2-----et0/1----10.2.0.1------fa1/0/1------10.2.0.2---Switch

I am pinging from ASA1

ASA1# ping 10.2.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Logs show

Nov 26 2014 21:24:26: %ASA-6-302020: Built outbound ICMP connection for faddr 10.2.0.2/0 gaddr 192.168.1.171/56999 laddr 192.168.1.171/56999

Nov 26 2014 21:24:36: %ASA-6-302021: Teardown ICMP connection for faddr 10.2.0.2/0 gaddr 192.168.1.171/56999 laddr 192.168.1.171/56999

ASA2 logs

Nov 26 2014 21:28:43: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.171/9199 gaddr 10.2.0.2/0 laddr 10.2.0.2/0
Nov 26 2014 21:28:53: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.171/9199 gaddr 10.2.0.2/0 laddr 10.2.0.2/0

Is this default behaviour ? or

i need some config change to fix this?

Regards

Mahesh

Hi Mahesh, Can you please

Srinath R — Thu, 27 Nov 2014 07:21:39 GMT

Hi Mahesh,

Can you please check if you have ICMP inspect on ASA2?

You should see "inspect icmp" in the output of "show run policy-map" under the global_policy.

If not, then run "fixup protocol icmp" from config mode and try again. If it still fails, please attach 'show tech' from both ASAs.

Regards,

Srinath

Hi Srinath, ASA2 has incmp

mahesh18 — Thu, 27 Nov 2014 16:37:12 GMT

Hi Srinath,

ASA2 has incmp inspect enabled.

These ASA's are in my home lab.

Can this be due to nating?

Regards

Mahesh

Hi Mahesh, Could you please

Srinath R — Fri, 28 Nov 2014 02:06:14 GMT

Hi Mahesh,

Could you please share the output of 'show tech' from both ASAs?

It would be easier to find the root cause from the outputs.

Based on the logs, it does not look like the ASA is dropping the packets.

Regards,

Srinath